Windows XP Machines Always Prompt for Credentials (Exchange 2013, Outlook 2010)

I am running Exchange 2013 on Server 2012 Datacenter (VM).  Windows 7 clients with Outlook 2010 work fine.  Windows XP clients with Outlook 2010 prompt for credentials (user name and password) each time Outlook is started, and checking the "Remember my password" box does not prevent this from happening the next time.  The "Always prompt for logon credentials" checkbox on the "Security" tab of the "More Settings" section of the Exchange account is not checked.  I have found a myriad of posts with similar issues, but they all seem to have to do with SBS/Exchange 2007, and I haven't come across something that works as a solution for me.  One suggested certificate issues, and I was having certificate security warnings, but I got that resolved.  I am hopeful that the fact that this only happens on Windows XP will be telling.

November 19th, 2012 10:24pm

I know this is Exchange 2013 and not Exchange 2010, but I suspect the issue is the same since the clients are Windows XP.

See:

http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a7c25d6a-7cfc-40a1-a17e-a1f05f637d53

November 19th, 2012 10:34pm

Does the XP machine have the root and intermediate certificates for your issuer?

Is Outlook using TCP (RPC) or HTTP (Outlook Anywhere)?  You can find out by using the Connection Status window.  XP can have problems when the certificate's CN is not the same as the Outlook Anywhere hostname.

November 19th, 2012 10:36pm

I'm not sure what the clients are using.  They are using whatever they default to when they detect the Exchange account.  To be more verbose: I installed Exchange, and it generated a self-signed certificate.  I started Outlook on the XP machines, and they automatically detected the Exchange server, but complained that they didn't trust the root (since the default certificate was self-signed).  I added it to the Trusted Root section of the certificate store, and the complaint went away.  Users had to log in to start Outlook, but there was no more warning about the certificate.  Later, I installed a certificate for the external name, and then the XP machines started complaining about the name not matching, but the Windows 7 machines did not.  External connections were still receiving the internal certificate, so I ran Enable-ExchangeCertificate to correct that, and then all machines started complaining about the certificate not matching.  I used the steps in kb article 940726 to resolve that (I had actually taken most of the steps before finding the article).  Once that was completed, no machines complained about mismatches.  I am not sure whether or not intermediate certificates are missing from the certificate store, but I can tell you this:  When I go to https://<externalfqdn>/owa, I am able to log in from the same XP machines that won't automatically log in from Outlook, and there is no certificate warning in IE.

I am going to try this:

Set-OutlookProvider EXPR -CertPrincipalName <externalfqdn>

I will respond tomorrow regarding whether or not it worked.  However, since Get-OutlookProvider also shows EXCH and WEB, should I do the same for EXCH and/or WEB?  Currently, that setting appears to be null for all three.


ETA: I am NOT using a wildcard certificate and I did NOT include "msstd:" before <externalfqdn>.  Should I have?
  • Edited by PRDIT Monday, November 19, 2012 11:19 PM
November 19th, 2012 11:15pm

See my response to the OP, there were two posts I wanted to respond to at the same time, and I thought responding to the OP would put me at the bottom, it didn't.
ETA: My post now shows at the bottom, but as the thread grows, with no new responses to my response or the OP, it moves further and further from here.
  • Edited by PRDIT Monday, November 26, 2012 9:02 PM
November 19th, 2012 11:16pm

See my response to the OP, there were two posts I wanted to respond to at the same time, and I thought responding to the OP would put me at the bottom, it didn't.
ETA: My post now shows at the bottom, but as the thread grows, with no new responses to my response or the OP, it moves further and further from here.
  • Edited by PRDIT Monday, November 26, 2012 9:03 PM
November 19th, 2012 11:16pm

Hi,

Do you have any antivirus on the XP client? If yes, please disable it and test again.

And please ping autodiscover.domain.com to verify if it can discover it.

Please check if the certificate includes autodiscover.domain.com.

Please also try logging in to Outlook with the same user on Win7.

November 20th, 2012 8:21am

Hi,

Do you have any antivirus on the XP client? If yes, please disable it and test again.

And please ping autodiscover.domain.com to verify if it can discover it.

Please check if the certificate includes autodiscover.domain.com.

Please also try logging in to Outlook with the same user on Win7.

The XP clients do have antivirus, disabling it made no difference.

autodiscover.<domain> is not included in our DNS, and as such, cannot be pinged.  Likewise, there is no autodiscover certificate, and no certificate with autodiscover included.

Outlook works fine in Win7 consistently.

I could add autodiscover to DNS manually, but I am not sure whether or not I should try this.  Note that once credentials are entered, Outlook works fine on the XP machines (they aren't prompted for credentials again until Outlook is closed).  No server information was manually entered, so obviously it was gathered from AD like it should be.  Is there really any possibility that the autodiscover name is needed in this case?

November 20th, 2012 2:20pm

Hi,

Is there a certificate warning when you log on to Outlook on the XP client?

You can test on the following page to confirm whether there is a certificate issue.

https://www.testexchangeconnectivity.com/

November 21st, 2012 2:36am

Hi,

Is there a certificate warning when you log on to Outlook on the XP client?

You can test on the following page to confirm whether there is a certificate issue.

https://www.testexchangeconnectivity.com/

There was a certificate warning initially, but I got that straightened out.  To be clear, I can tell you that we have external and internal devices connecting fine.  I haven't seen any certificate warnings since I started this thread.  I have the following warnings when I do an Outlook Anywhere connectivity test:

1)

Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.
 
Additional Details
  ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

I am fairly certain this is not a problem, because I am using WSUS and root certificate updates seem to come through fine.

2)

Attempting to ping RPC proxy mail.prd-inc.com.
  RPC Proxy can't be pinged.
 
Additional Details
  A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.

I am not sure what to make of this.

In case it is relevant, I should note that I provided the connectivity information for the test, as there is no autodiscover dns entry.
  • Edited by PRDIT Monday, November 26, 2012 3:13 PM autodiscover info added
November 26th, 2012 3:10pm

Hi,

Did you add an autodiscover record on DNS?

And what are the results?

November 28th, 2012 12:08pm

Hi,

Did you add an autodiscover record on DNS?

And what are the results?


No, does an internal XP machine use autodiscover DNS?  If so, why are they connecting without it at all?  I believe the autodiscover issue is external only, and it isn't affecting us (even on external [rim,android,ios] devices, which we have working fine).  I can add autodiscover, but I would like to understand what it could possibly have to do with prompts for credentials first.
November 28th, 2012 3:34pm

I am also having the same issue as you. I am running windows XP with outlook 2010 connecting to exchange 2013. I receive the credentials prompt for my XP workstation inside the network but none of my windows 7 boxes have any issues. Did you find the resolution for this?

Thanks

David

December 10th, 2012 9:08pm

I have not found resolution.  However, I have deployed an AD Certificate Services Root CA and added its cert to the default computer GTO trusted Root CA list in order to make RDS work better without buying a cert.  I get the same prompt when connecting an XP machine to RDS (after enabling NLA in XP), so I am thinking XP may just not be capable of passing credentials through to these newer server services.  That said, this is speculation, and I won't mark this as the answer since I don't have confirming documentation.
December 12th, 2012 2:12pm

I have confirmation from a Microsoft support tech that this is expected behavior not related to certificates.  Specifically, Windows XP will have to pop up the authentication box for web access, and Outlook must use web access for Exchange 2013.  I did not prompt the tech as to why the save option doesn't work, but I am going to mark this post as the answer to close out this thread.
  • Marked as answer by PRDIT Wednesday, January 02, 2013 5:54 PM
January 2nd, 2013 5:54pm

I have the same question for Internet Explorer 6, 7 and 8

http://social.technet.microsoft.com/Forums/en-US/ieitpropriorver/thread/c379f745-2215-463a-b6cb-aa032e803970/#c379f745-2215-463a-b6cb-aa032e803970

March 27th, 2013 8:04pm

Unfortunately, it looks like you have the opposite problem from what I had (we always got the logon prompt, even though we didn't want it), so I can't be of much help there.
March 28th, 2013 3:47pm

we always got the logon prompt, even though we didn't want it

We have the same problem, but it happens with Internet Explorer instead.

Doesn't matter if you type the right or the wrong password, IE always prompts for password.

March 28th, 2013 5:15pm

OK, I guess you meant "don't stop asking" when you typed "don't stop to ask".  Presumably this means you are translating from another language or English is not your first language.  That having been said, the post I marked as an answer implies that what you are experiencing would be considered normal by Microsoft as well.  This is the relevant section: "Specifically, Windows XP will have to pop up the authentication box for web access."
March 28th, 2013 5:37pm

Yeap, my english is too bad...

The root question is: "why the save option doesn't work?"

March 28th, 2013 6:40pm

Now I understand.  Unfortunately, I don't know the answer.  I do think it is for the same reason in both scenarios, though.
March 28th, 2013 8:58pm

Proxy settings:

 auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
 auth_param ntlm children 50
 auth_param ntlm keep_alive on
 auth_param basic program /usr/lib/squid3/squid_ldap_auth -R \
         -b "DC=domain,DC=local" \
          -D "CN=Squid Proxy,OU=TI,OU=Domain,DC=domain,DC=local" \
          -W passldap \
          -f "sAMAccountName=%s" \
          -h domain.local
 auth_param basic children 20
 auth_param basic realm Domain Internet Proxy
 auth_param basic credentialsttl 8 hours
 external_acl_type ADS children=50 ipv4 ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -S -K -b "DC=domain,DC=local" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Domain,DC=domain,DC=local))" -D "CN=Squid Proxy,OU=TI,OU=Domain,DC=domain,DC=local" -s sub -W ldappass domain.local
tks.
April 10th, 2013 12:51pm

Try this trick:

http://sumoomicrosoft.blogspot.ru/2012/12/exchange-2013-outlook-keeps-asking-for.html

Solution:
Edit group policy Lan Manager Authentication level, set it to Send NTLM responses only or above.
or
You must set the LmCompatibilityLevel on your client to a value of 2 or 3. To do this, follow these steps.

1. Click Start, click Run, type regedit in the Open box, and then press ENTER.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
3. In the right pane, double-click lmcompatibilitylevel.
4. In the Value data box, type a value of 2 or 3 that is appropriate for your environment, and then click OK.
5. Quit Registry Editor.
6. Restart your computer.

April 22nd, 2013 5:47am
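
Added example, not part of any post in this thread: a PowerShell check for the registry value the steps above set by hand. Levels 2 and 3 both stop LM responses, but only 3 and above send NTLMv2, so the report marks that difference. `Get-LmCompatibilityReport` is a hypothetical helper name, and remote reads assume the Remote Registry service is reachable on the target.

```powershell
# Added example (not from the thread). Get-LmCompatibilityReport is a
# hypothetical helper name. Requires PowerShell 3.0 or later on the machine
# that runs it; remote reads assume Remote Registry is reachable.
function Get-LmCompatibilityReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Client-side meaning of each LmCompatibilityLevel value.
    $meaning = @{
        0 = 'Send LM and NTLM responses'
        1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only; refuse LM'
        5 = 'Send NTLMv2 response only; refuse LM and NTLM'
    }

    foreach ($computer in $ComputerName) {
        $level = $null; $problem = $null; $hklm = $null
        $isLocal = ($computer -eq $env:COMPUTERNAME)
        try {
            if ($isLocal) {
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
            } else {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            }
            $lsa   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $level = $lsa.GetValue('LmCompatibilityLevel', $null)
        } catch {
            $problem = $_.Exception.Message
        } finally {
            if ($hklm -and -not $isLocal) { $hklm.Close() }
        }

        if ($problem) {
            $setting = "unreadable: $problem"
        } elseif ($null -eq $level) {
            $setting = 'not set (OS default applies)'
        } elseif ($meaning.ContainsKey([int]$level)) {
            $setting = $meaning[[int]$level]
        } else {
            $setting = "unexpected value $level"
        }

        [pscustomobject]@{
            ComputerName = $computer
            Level        = $level
            Setting      = $setting
            # Level 2 stops LM but still sends NTLM (v1); 3 and above send NTLMv2.
            SendsNtlmV2  = ($null -ne $level -and [int]$level -ge 3)
        }
    }
}

# Local machine by default; pass -ComputerName for a list of workstations.
Get-LmCompatibilityReport | Format-List
```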

I've tried it already, but it doesn't work.

I've changed my Squid proxy settings, now it works. =)

April 22nd, 2013 4:37pm

I was able to resolve this issue:

You have to generate a new self-signed certificate in the iis8 of the Exchange. The "builtin" certificate is for the name "server" (not the FQDN) and not for "server.contoso.com"

XP insists on having the correct certificate in its storage. Correct means, the certificate is for the same name as the proxy being used to connect to the exchange. The one with msstd:server.contoso.com....

Generate the certificate for server.contoso.com (this can now be done without having an own CA) on your Exchange, distribute it via GPO or import it manually and everything works like a charm, even on WinXP with Outlook 2010.

  • Proposed as answer by DmitryK Friday, April 26, 2013 11:55 AM
April 25th, 2013 12:19pm

I didn't understand exactly how you solved the problem.

I already have the certificate on IIS for exchange.mydomin.com, do I need to import that certificate on Windows XP client? Right click - install certificate?

Thank you in advance.

May 18th, 2013 11:40pm

Is exchange.maydomain.com your local domain or your domain in the www?

You need a certificate for the name that Outlook uses in its proxy settings to connect to the Exchange server. This certificate needs to be installed in the local computer storage. I've done that via a GPO, but manual installation should also work.

May 21st, 2013 7:17am

I've the same problem:

I have installed a new Exchange Server 2013 in the Organization. I've configured the Mail Flow, domains and so on.

I have installed certificates and when using OWA, all the users can see the email.

I have configured Outlook 2010 on Windows 7 and on Windows XP with service pack 3. 

I have no problem with Windows 7 but when I try to connect to Exchange from Windows XP system, Outlook can't connect to Exchange Server.

My domains are: mail.external.com as internet domain and SRV1.domain.local for the local domain.

What I don't understand is: what have I to set when I generate the self-signed certificate in order to do it for the servername ? You mean to do it by EAC right?

And then, when I've exported it (from EAC), which certificate folder have I to use in XP where to import it?

Thanks in advance

Alberto




September 11th, 2013 5:59pm

Hi

Ran into the same problem on my LAB. Windows 7 computer with Outlook 2007 and newer could connect. Windows XP computer with Outlook 2007 and newer I could configure to use Exchange 2013, but it kept on prompting for credentials when opening Outlook. Looked everywhere on the Internet, but could not find anything. All solutions for other people did not work for me. I stumbled upon this website - http://arstechnica.com/civis/viewtopic.php?t=1200405.

This is exactly what happened to my XP computer. The only way I could get Outlook on XP to connect to Exchange 2013 was to change the "Logon Network Security" to "Password Authentication (NTLM)" on security tab under more settings in Outlook.

Outlook will then connect and after some time or when I close and open Outlook again, it will prompt me for credentials again and the setting has changed back to Negotiate.

How my settings was when running powershell - Get-OutlookAnywhere | Fl Identity,*auth*
Identity : Exch2013Server\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Negotiate
IISAuthenticationMethods : {Negotiate}

                                                                                                                               
What I did to resolve and get Outlook to connect with Negotiate setting. Outlook proxy setting is on NTLM.
Set-OutlookAnywhere -Identity "Exch2013Server\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,Ntlm,Negotiate

This was the result running the Get command above again
Identity                           : Exch2013Server\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Negotiate
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

Did an iisreset on Exch2013Server

Went to XP computer and opened Outlook and Outlook opened and connected to Exch2013 without prompting me for credentials. Went into the settings for Outlook and it is set to Negotiate (The way it defaulted back to after some time). Closed Outlook and it connected again. Restarted computer and Outlook still connected without prompting me.

Regards,
SuperBulls

October 14th, 2013 6:56pm

I follow ED Crawley.

I just change common certificate name match with outlookanywhere name and that's it.

You save me again Ed Crawley


November 11th, 2013 6:23am

No, it is not expected behavior, Microsoft is a group of losers! :-)

you can use this script for repair "password prompting"

http://jaworskiblog.com/2013/04/13/setting-internal-and-external-urls-in-exchange-2013/

the main goal is set 

Set-OutlookAnywhere -Identity "$ExServer\Rpc (Default Web Site)" -InternalHostname $internalName -ExternalHostName $ExternalName -InternalClientAuthenticationMethod ntlm -InternalClientsRequireSsl:$True -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl:$True

Both client sites, Internal and External, have to be set for SSL!

December 3rd, 2013 6:16pm

You are welcome.  Please feel free to mark my answer as helpful.
December 3rd, 2013 6:54pm

You are the OP.
December 3rd, 2013 6:55pm

Hi Ed, sorry for "noobing", what is OP. :-)

December 3rd, 2013 7:03pm

"Original Poster", the person who started the thread.
December 3rd, 2013 10:23pm

Hi,
The solution of problem I found is:
1. Disable Autodiscover for user - in windows profile

To do this (Outlook 2007) I set registers:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover]
"ExcludeScpLookup"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeHttpsAutoDiscoverDomain"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"PreferLocalXML"=dword:00000001
"ExcludeSrvRecord"=dword:00000001

2. Uncheck option "only connect to proxy servers that have this principal in their certificate" in connection settings
(I am using Basic Authentication)

That's it. Works for me (Exch2013, Outlook2007 on WinXP)
I hope this way could help someone...
Regards

  • Proposed as answer by WereWolf00 Thursday, April 24, 2014 10:50 AM
  • Marked as answer by PRDIT 14 hours 37 minutes ago
March 28th, 2014 10:37am

Hi,

I have solved this issue.

I had the same problem with Windows XP and Office 2010. On Windows 7 and Office 2010 it works fine, then I've tested with Office 2007 and Win XP and it also works fine.

It seems to be that the issue occurs if Office 2010 is installed with SP2 and all patches are installed.

However, I have reinstalled Office 2010 without any Service Pack and without any Updates and it works fine.

I don't know what exactly is responsible for the problem but Windows XP and Office 2010 without SP and Updates seems to work fine.

Hope this is helpful.

June 13th, 2014 12:13pm

Thanks DikSoft, your suggestion fixed my issues.
On XP workstation I Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel = 2
Rebooted XP workstation then Outlook did not prompt for credentials


June 17th, 2014 1:41am

Thanks Ed. This resolved my issue:

Set-OutlookProvider EXPR -CertPrincipalName:msstd:mail.company.com
After running the command issue iisreset.

  • Proposed as answer by AntonyFats Monday, November 24, 2014 4:03 PM
August 4th, 2014 5:19pm

Hi all,

I had the same problem.

Scenario: Windows XP SP3, Outlook 2010 SP2 (13.0.7015.1000);

CAS on Exchange Server 2013 SP1 (CU4); Windows Server 2012 R2;

Autodiscover works fine, without configuring any CertProvider name, here below the EMS output:

[PS] C:\>Get-OutlookProvider  |fl Identity, CertPrincipalName

Identity          : EXCH
CertPrincipalName :

Identity          : EXPR
CertPrincipalName :

Identity          : WEB
CertPrincipalName :

The problem was related to the Authentication set to NTLM Exchange side.

Windows XP get stuck trying to connect to Exchange.

We modified the following with "Basic Authentication" and it works like a charm:

[PS] C:\>Get-OutlookAnywhere | Fl Identity,*auth*

Identity                           : xxxxxx\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Basic
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

The Outlook Client Configuration on Windows XP , now has "Basic Authentication":

Proxy_Authentication

November 24th, 2014 4:14pm
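
Added example, not part of any post in this thread: a PowerShell review of the Outlook Anywhere settings that several posts above change (`IISAuthenticationMethods`, the internal and external client authentication methods, and the SSL requirement). `Test-OutlookAnywhereAuth` is a hypothetical helper name and the two sample objects are constructed; the property names are the ones `Get-OutlookAnywhere` returns.

```powershell
# Added example (not from the thread). Test-OutlookAnywhereAuth is a
# hypothetical helper; it reads only properties returned by Get-OutlookAnywhere.
function Test-OutlookAnywhereAuth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Config
    )
    process {
        # Methods enabled on the /rpc virtual directory in IIS.
        $iis = @($Config.IISAuthenticationMethods | ForEach-Object { "$_" })

        foreach ($side in 'Internal', 'External') {
            # Method that Autodiscover hands to Outlook for this side.
            $method = "$($Config.($side + 'ClientAuthenticationMethod'))"
            $ssl    = [bool]$Config.($side + 'ClientsRequireSsl')
            $notes  = @()

            if ($iis -notcontains $method) {
                $notes += "clients are told to use $method but IIS accepts only: $($iis -join ', ')"
            }
            if ($method -eq 'Negotiate' -and $iis -notcontains 'Ntlm') {
                $notes += 'Negotiate with no Ntlm in IIS: the state a post above reports XP clients prompting under'
            }
            if ($method -eq 'Basic' -and -not $ssl) {
                $notes += 'Basic without required SSL: the password is only base64-encoded on the wire'
            }
            if ($method -eq 'Basic' -and $ssl) {
                $notes += 'Basic over SSL: the password itself is sent, so the certificate must be trusted and name-matching'
            }

            [pscustomobject]@{
                Identity   = $Config.Identity
                Side       = $side
                Method     = $method
                RequireSsl = $ssl
                Notes      = ($notes -join '; ')
            }
        }
    }
}

# Constructed sample objects (server names are placeholders).
$samples = @(
    [pscustomobject]@{
        Identity = 'EXCH-A\Rpc (Default Web Site)'
        InternalClientAuthenticationMethod = 'Negotiate'; InternalClientsRequireSsl = $true
        ExternalClientAuthenticationMethod = 'Negotiate'; ExternalClientsRequireSsl = $true
        IISAuthenticationMethods = @('Negotiate')
    },
    [pscustomobject]@{
        Identity = 'EXCH-B\Rpc (Default Web Site)'
        InternalClientAuthenticationMethod = 'Basic'; InternalClientsRequireSsl = $false
        ExternalClientAuthenticationMethod = 'Basic'; ExternalClientsRequireSsl = $true
        IISAuthenticationMethods = @('Basic', 'Ntlm', 'Negotiate')
    }
)

$samples | Test-OutlookAnywhereAuth | Format-List
```

In the Exchange Management Shell the same function takes live data: `Get-OutlookAnywhere | Test-OutlookAnywhereAuth`.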

Hi,
The solution of problem I found is:
1. Disable Autodiscover for user - in windows profile

To do this (Outlook 2007) I set registers:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover]
"ExcludeScpLookup"=dword:00000001
"ExcludeHttpRedirect"=dword:00000001
"ExcludeHttpsAutoDiscoverDomain"=dword:00000001
"ExcludeHttpsRootDomain"=dword:00000001
"PreferLocalXML"=dword:00000001
"ExcludeSrvRecord"=dword:00000001

2. Uncheck option "only connect to proxy servers that have this principal in their certificate" in connection settings
(I am using Basic Authentication)

That's it. Works for me (Exch2013, Outlook2007 on WinXP)
I hope this way could help someone...
Regards

Solved !!!! Thanks :) 
June 3rd, 2015 12:27pm

This method solved the Windows XP required password Exchange 2013 issue. Thanks !!!
June 3rd, 2015 12:28pm

This topic is archived. No further replies will be accepted.
